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CENTAL PAX CENTBR 

MAY 0 1 2006 



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



In rc application of: Koved et al. 

Serial No.: 10/002,439 

Filed: November 1, 2001 

For: Method and Apparatus for Type 
Independent Permission Based Access 
Control 

35525 

PATKNT TRADEMARK OFFTCF. 
CUSTOMER NUMBER 



§ Group Art Unit 2131 
§ 

§ Examiner: Abrishnmkar, Kaveh 

§ 

§ Attorney Docket No.: AUS920010941US1 



Certificate of Transmission Under 37 C.F.R. a 1.8(a) i 
I hereby certify this correspondence is being transmitted via 
facsimile to the Commissioner for Patents, P.O. Box 1450. 
Alexandria, va 22313-1450, facsimile number (371) 273-8300 




Jane M. Roberts 



TRANSMITTAL 

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 223 1 3-1450 

Sir; 

ENCLOSED HEREWITH: 

• Response to Notice of Non-Compliant Appeal Brief; 

• Copy of Notice of Non-Compliant Appeal Brief; and 

• Replacement Appeal Brief. 

No fees are believed to be required. If, however, any fees are required, 1 authorize the 
Commissioner to charge these fees which may be required to Yee & Associates, P.C. Deposit Account No. 
50-3 1 57. No extension of time is believed to be necessary. If, however, an extension of time is required, 
the extension is requested, and 1 authorize the Commissioner to charge any fees for tilts extension to Yee & 
Associates^ P.C. Deposit Account No. 50-3157, 

Respectfyllv^ubmitted^ 



Rakesh Garg 
Registration No. 57,434 
AGENT FOR APPLICANTS 

Duke W. Yee 
Registration No. 34,285 
Yee & associates, P-C 
P.O. Box 802333 
Dallas, Texas 75380 
(972) 385-8777 

ATTORNEY FOR APPLICANTS 
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RECEIVED 

CENTRAL FAX CENTER 
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE ^ fl j 



In re application: Koved ct ah 

Serial No.: 10/002,439 

Filed: November 1, 2001 

For: Method and Apparatus for Type 
Independent Permission Based Access 
Control 



35525 

PATENT TRADEMARK OFFICE 
CUSTOMER NUMBER 



§ 
§ 

§ Group Art Unit: 2131 
§ 

§ Examiner Abrishamkar, Kaveh 

§ 

§ Attorney Docket No.: AUS9200194JXISJ 



Certificate of Transmission Under 37 C.F.R. 3 1.8(a) 
I hereby certify this correspondence is being transmitted via 
facsimile to the Commissioner for Patents, P.O. Box 1450, 
Alexandria, VA 223 1 3- 1 450, facsimile number (571 ) 273-8300 
on May 1,2006. 



By: Oft**- 
( /Jane M, 



'anc M. Roberts 



RESPONSE TO NOTICE OF NON-COMPLIANT APPEAL BRIEF 

Commissioner for Patents 
P.O.Box 1450 
Alexandria, VA 22313-1450 

Sir: 

A Notice of Non-Compliant Appeal Brief was received by Applicants stating that "the Appeal Brief 
filed on 08 February 2006 is defective for failure to comply with one or more provisions of 37 CFR 4 1 3T\ 
A copy of the Notice of Non-Compliant Appeal Brief is attached hereto. 

No fees are believed to be required. If, however, any fees are required, T authorize the 
Commissioner to charge these fees which may be required to Yee & Associates, P.C. Deposit Account No. 
50-3 157. No extension of time is believed to be necessary. If, however, an extension of time is required, 
the extension is requested, and 1 authorize the Commissioner to charge any fees for this extension to Yee & 
Associates, P.C. Deposit Account No. 50-3 157. 
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REMARKS 



These amendments were made to reflect the Ground of Rejection heading in order to meet the 37 
C.F.FL 41 J7(cXl )(vi) requirements. No new matter has been added by these amendments. 



Date: Mav__l .J2Q_0_6 Respectfully submitted, 




Rakesh < 
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Yee & Associates, F.C 
P.O. Box 802333 
Dallas, Texas 75380 
(972) 385-8777 
AGENT FOR APPLICANTS 
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United States Patent and Trademark Office 

" UNITED STATES DEPARTMENT OF COMMERCE 
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AlcwnHW*. Vtf Shift 22313-1450 
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10/002,439 11/01/2001 Lawrence Kovcd AUS920010941US 3558 

35525 7590 04/19/2006 | EXAMINER | 

IBM CORP (YA) 
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Application No. 


Applicants) 


Notification of Non-Compliant Appeal Brief 


10/002,439 


KOVEO ET AL. 


(37 CFR 41.37) 


Examiner 


Art Unit 






Kaveh Abrishamkar 


2131 





-The MAILING DA TE of this communication appears on the cover sheet with the correspondence address- 



The Appeal Brief filed on is defective for failure to comply with one or more provisions of 37 CFR 41 .37. 

To avoid dismissal of the appeal, applicant must file anamended brief or other appropriate correction (see MPEP 
1205.03) within ONE MONTH or THIRTY DAYS from the mailing date of this Notification, whichever Is Conger. 
EXTENSIONS OF THIS TIME PERIOD MAY BE GRANTED UNDER 37 CFR 1.136. 



1 . □ The brief does not contain the items required under 37 CFR 41 .37(c), or the items are not under the proper 

heading or in the proper order, 

2. □ The brief does not contain a statement of the status of all claims, (e.g., rejected, allowed, withdrawn, objected to, 

canceled), or does not identify the appealed claims (37 CFR 41 .37(c){1)(iii)). 

3. □ At least one amendment has been Fried subsequent to the final rejection, and the brief does not contain a 

statement of the status of each such amendment (37 CFR 41 .37(c)(1 )(iv)). 

4. □ (a) The brief does not contain a concise explanation of the subject matter defined in each of the independent 

claims involved in the appeal, referring to the specification by page and line number end to the drawings, if any, 
by reference characters; and/or (b) the brief fails to; (1) identify, for each independent claim Involved in the 
appeal and for each dependent claim argued separately, every means plus function and step plus function under 
35 U.S.C. 1 12. sixth paragraph, and/or (2) set forth the structure, material, or acts described in the specification 
as corresponding to each claimed function with reference to the specification by page and iine number, and to 
the drawings, if any, by reference characters (37 CFR 41 .37(c)(1 )(v)). 

5. K The brief does not contain a concise statement of each ground of rejection presented for review (37 CFR 

4l.37(c)(1)(vi)) 

6. □ The brief does not present en argument under a separate heading for each ground of rejection on appeal (37 CFR 

41.37(c)(1)(vii)). 

7. □ The brief does not contain a correct copy of the appealed claims as an appendix thereto (37 CFR 

41.37(c)(1)(viii)). 

8. □ The brief does not contain copies of the evidence submitted under 37 CFR 1 .130. 1 .1 31 , or 1 .1 32 or of any 
^ other evidence entered by the examiner and relied upon by appellant In the appeal, along with a 

statement setting forth where in the record that evidence was entered by the examiner, as an appendix 
thereto (37 CFR 41 -37(c)(1 )(ix)). 

9. □ The brief does not contain copies of the decisions rendered by a court or the Board in the proceeding 

identified in the Related Appeals and Interferences section of the brief as an appendix thereto (37 CFR 
41.37(cK1)(x)). 

10. G Other (including any explanation in support of the above items): 

The Aooeaf brief does not contain a con ci se statement of the grounds of rejection for review. but_m sp?ad testates the 
status of the claims. 




SUPERVISORY PATENT EXAMINER 



J.5. PBtont and Tradranartt Office 

PTOL-462 (Rev. 7-05) Notification of Non-Compliant Appeal Brief (37 CFR 41 .37) Part.of Paper No. 2006041 3 
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Docket No. AUS920010941US1 



RECEIVED 
CENTRAL FAX CENTER 

MAY 0 1 2006 PATENT 



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



In re application of: Koved et aL 
Serial Na: 10/002,439 
Filed: November 1, 2001 



For Method and Apparatus for Type § 
Independent Permission Based Access § 
Control 



§ 

§ Group Art Unit: 2131 
§ 

§ Examiner: Abrishamkar, Kaveh 



§ 



Commissioner for Patents 
PX>- Box 1450 
Alexandria, VA 22313-1450 



CertlflaitfLQf Traiianifflion Under 37 CF.R, $ I &r) 
I hereby certify this correspondence is being transmitted via 
facsimile to the Commissioner for Patents, P.O. Box 1450» 
Alexandria, VA 22313-1450, facsimile number (571) 273-8300, 
on May 1, 2006. 



REPLACEMENT APPEAL BRIEF (37 CF.R. 41 37) 

This replacement brief is in furtherance of the Notice of Appeal, filed in this case on 
December 20, 2005. 



The fees required under § 41.20(B)(2), and any required petition for extension of time for 
filing this brief and fees therefore, are dealt with in the accompanying TRANSMITTAL OF 
REPLACEMENT APPEAL BRIEF. 



(Replacement Appeal Brief Page 1 of 37) 
Kovcdetal- 10/002.439 
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REAL PARTY IN INTEREST 

The real party in interest in this appeal is the following party: International Business 
Machines. 



(Replacement Appeal Brief Page 2 of 37) 
Kovcd et al. - 10/002,439 

PAGE Vtt'RCVD AT 51112006 2:59:55 PM [Eastern Daylight Time] ' SVR:USPTO-EFXRF-6/13 * DN1S:2738300 1 CSID:9723857766 1 DURATION (mm-ss):11-26 



05/01/2086 14:02 9723857766 



YEE & ASSOCIATES, PC 



PAGE 09/43 



RELATED APPEALS AND INTERFERENCES 

With respect to other appeals or interferences that will directly affect, or be directly 
affected by, or have a bearing on the Board's decision in the pending appeal, no such appeals or 
interferences are present. 



(Replacement AppeaJ Brief Page 3 of 37) 
Koved eta!. - 107002,439 
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STATUS OF CLAIMS 

A. TOTAL NUMBER OF CLAIMS IN APPLICATION 

Claims in the application are: 1-30 

B. STATUS OF ALL THE CLAIMS IN APPLICATION 



2. Claims withdrawn from consideration but not canceled; None 

3. Claims pending: 1-30 

4. Claims allowed: None 

5. Claims rejected: 1-30 

6. Claims objected to: None 



1. 



Claims canceled: None 



C. 



CLAIMS ON APPEAL 



The claims on appeal are: 1-30 



(Replacement Appeal Brief Page 4 nf 37) 
Kovcd etal.- 10/002.439 
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STATUS OF AMENDMENTS 

No amendments were filed after the final office action dated September 22, 2005. 



(Replacement Appeal Brief Page 5 of 37) 
KovcdctaJ.- 10/002,439 
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SUMMARY OF CLAIMED SUBJECT MATTER 

A. CLAIM 1 - INDEPENDENT 

The subject matter of claim 1 is directed to a method of controlling access to computer 
system resources based on permissions. The claimed invention comprises the steps of receiving 
a request for access to a computer system resource (figure 6; Specification, p. 6, 11. 21-23, p. 15, 
11. 8-11, p. 19, 11. 26-3 1); determining if a superclass permission of a required permission is 
present in each protection domain of an access control context (figure 6; figure 9> reference 
numeral 970; figure 10, reference numeral 1030; Specification, p. 20, 11. 16-21), where the 
superclass* permission is a super class of the required permission (Specification, p. 18, II. 5-32; 
Specification, p. 21, 11. 1 1-14; figures 5, 7A-7C); adding the required permission to a permission 
collection if the superclass permission of the required permission is present in each protection 
domain of the access control context (Specification, p. 20, 11. 16-23; figure 9, reference numeral 
980; figure 10, reference numeral 1040); and granting access to the resource if the superclass 
permission of the required permission is present in each protection domain of the access control 
context (figure 6; figure 9, reference numeral 995; figure 10, reference numeral 1050; 
Specification, p. 24, 11. 4-13, p. 25, 11. 18-22), 

B, CLAIM 3 - DEPENDENT 

The subject matter of claim 3 is directed to the method of claim 1 and further comprising 
the steps of determining the required permission based on a CodeSource associated with the 
request (Specification, p. 19, 11. 26-31; figure 9, reference numeral 920); and determining the 
superclass permission of the required permission based on the required permission 
(Specification* p. 20, 11. 16-21). 

C CLATM 4 - DEPENDENT 

The subject matter of claim 4 is directed to the method of claim 1 . In this claim, 
determining if a superclass permission of a required permission is present in each protection 

(Replacement Appeal Brief Page 6 of 37) 
KovcdctaL- 10/002.439 
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domain includes determining if at least one permission collection in each protection domain 
includes the superclass permission (Specification, p. 17^ II. 24-27, p. 23, 11. 29-32; figure 9, 
reference numeral 970). 

D. CLAIM 5 - DEPENDENT 

The subject matter of claim 5 is directed to the method of claim 1 . In this claim, the 
adding of the required permission to a permission collection includes creating a new permission 
collection and adding the required permission to the new permission collection (Specification p. 
20, 11. 12-23). 

E- CLAIM 6 - DEPENDENT 

The subject matter of claim 6 is directed to the method of claim S. In this claim, the 
adding of the required permission to a permission collection also includes adding any subclass 
permissions of the required permission to the new permission collection (Specification, p. 20, 1. 
3] - p. 21,1. 10). 

F. CLAIM 8 - DEPENDENT 

The subject matter of claim 8 is directed to the method of claim. In this claim, the adding 
of the required permission to a permission collection includes adding the permission to a 
permission collection associated with the superclass permission (Specification, p. 20, 11. 12-23). 

G. CLAIM 11 - INDEPENDENT 

The subject matter of claim 1 1 is directed to a computer program product in a computer 
readable medium for controlling access to computer system resources based on permissions. The 
claimed invention comprises instructions for receiving a request for access to a computer system 
resource (figure 6; Specification, p. 6, 11. 21-23, p. 15, 11. 8-1 1, p. 19, 11. 26-31); instructions for 
determining if a superclass permission of a required permission is present in each protection 
domain of an access control context (figure 6; figure 9, reference numeral 970; figure 10, 

(Replacement A|>pcal Brief Page 7 of 37) 
Kovedctal.-10/002_.439 
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reference numeral 1030; Specification, p. 20, 11. 16-21), where the superclass permission is a 
super class of the required permission (Specification, p. 18, IK 5-32; Specification, p. 21, U- H- 
14; figures 5, 7A-7C); instructions for adding the required permission to a permission collection 
if the superclass permission of the required permission is present in each protection domain of 
the access control context (Specification, p. 20, 11. 16-23; figure 9 ? reference numeral 980; figure 
1 0, reference numeral 1 040); and instructions for granting access to the computer system 
resource if the superclass permission of the required permission is present in each protection 
domain of the access control context (figure 6; figure 9, reference numeral 995; figure 10, 
reference numeral 1050; Specification, p. 24, II. 4-13, p. 25, 11. 18-22). 

HL CLAIM 13 - DEPENDENT 

The subject matter of claim 13 is directed to the computer program product of claim 1 1. 
This claim includes additional instructions for determining the required permission based on a 
CodeSource associated with the request (Specification, p. 19, 11. 26-31; figure 9, reference 
numeral 920); and additional instructions for determining the superclass permission of the 
required permission based on the required permission (Specification, p, 20, 11. 16-21). 

I- CLAIM 14 - DEPENDENT 

The subject matter of claim 14 is directed to the computer program product of ctaim 1 1. 
In this claim the instructions for determining if a superclass permission of a required permission 
is present in each protection domain include instructions for determining if at least one 
pennission collection in each protection domain includes the superclass permission 
(Specification, p. 17 ? 11. 24-27, p. 23, 11. 29-32; figure 9, reference numeral 970). 

J. CLAIM 15 - DEPENDENT 

The subject matter of claim 1 5 is directed to the computer program product of claim 1 1 . 
In this claim, the instructions for adding the required permission to a permission collection 
include instructions for creating a new permission collection and instructions for adding the 
required permission to the new permission collection (Specification p. 20, 11. 12-23). 

(Replacement Appeal Brief Page 8 of 37) 
Kovedetal- 10/002,439 

PAGE 14/43 1 RCVD AT 5/1/2006 2:59:55 PM [Eastern Daylight Time] * SVRiUSPTO'ff XRF-5/13 * DNIS:2738300 1 CSID:9723857766 * DURATION (mnws):11-26 



05/01/200S 14:02 9723857766 



YEE & ASSOCIATES, PC 



PAGE 15/43 



IC CLAIM 16 - DEPENDENT 

The subject matter of claim 16 is directed to the computer program product of claim 15. 
In this claim, the instructions for adding the requited permission to a permission collection 
additionally include instructions for adding any subclass permissions of the requited permission 
to the new permission collection (Specification, p. 20, 1. 3 1 - p. 2 1 , 1. 1 0). 

L. CLAIM 1 8 - DEPENDENT 

The subject matter of claim 18 is directed to the computer program product of claim J 1. 
In this claim, the instructions for adding the required permission to a permission collection 
include instructions for adding the permission to a permission collection associated with the 
superclass permission (Specification p. 20, 11. 12-23). 

M. CLAIM 21 - INDEPENDENT 

The subject matter of claim 21 is directed to an apparatus for controlling access to 
computer system resources based on permissions. The claimed invention comprises means for 
receiving a request for access to a computet system resource (figure 6; Specification, p. 6, Ih 21- 
23, p. 15, 11. 8-1 1, p. 19, 11, 26-31); means for determining if a superclass permission of a 
required permission is present in each protection domain of an access control context (figure 6; 
figure 9 3 reference numeral 970; figure 10, reference numeral 1030; Specification, p. 20, il. 16- 
21), wherein the supetclass permission is a super class of the required permission (Specification, 
p, 18, 11. 5-32; Specification, p. 21, 11. 11-14; figures 5, 7A-7C); means for adding the required 
permission to a permission col lection if the supetclass permission of the required permission is 
present in each protection domain of the access control context (Specification, p. 20, 11. 16-23; 
figure 9, reference numeral 980; figure 1 0, reference numeral 1040); and means for granting 
access to the computer system resource if the superclass permission of the requited permission is 
present in each protection domain of the access control context (figure 6; figure 9 5 reference 
numeral 995; figure 10, reference numeral 1050; Specification, p. 24, 11, 4-13, p. 25* 11, 18-22). 



(Replacement Appeal Brief Page 9 of 37) 
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N. CLAIM 23 - DEPENDENT 

The subject matter of claim 23 is directed to the apparatus of claim 21 . This claim 
contains additional means for determining the required permission based on a CodeSource 
associated with the request (Specification, p. 19, 11 26-3 1; figure 9, reference numeral 920); and 
additional means for determining the superclass permission of the required permission based on 
the required permission (Specification, p. 20, II. 1 6-21). 

O. CLAIM 24 - DEPENDENT 

The subject matter of claim 24 is directed to the apparatus of claim 21 . In this claim, the 
means for determining if a superclass permission of a required permission is present in each 
protection domain includes means for determining if at least one permission collection in each 
protection domain includes the superclass permission (Specification, p. 1 7, 11. 24^27, p. 23, 11. 29- 
32; figure 9, reference numeral 970). 

P. CLAIM 25 - DEPENDENT 

The subject matter of claim 25 is directed to the apparatus of claim 21 . In this claim, the 
means for adding the required permission to a permission collection includes means for creating 
a new permission collection and means for adding the required permission to the new permission 
collection (Specification p. 20, 11. 12-23). 

Q. CLAIM 26 - DEPENDENT 

The subject matter of claim 26 is directed to the apparatus of claim 25. In this claim, the 
means for adding the required permission to a permission collection also includes adding any 
subclass permissions of the required permission to the new permission collection (Specification, 
p. 20, 1.31 -p. 21,1. 10). 



(Replacement Appeal Brief Page 10 of 37) 
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R. CLAIM 27 - DEPENDENT 

The subject matter of claim 27 is directed to the apparatus of claim 21 . This claim 
additionally contains means for retrieving the access control context for a thread of execution 
that sent the request for access to the computer system resource (Specification, p. 20, 11 1-6; 
figure 6, reference numeral 640; figure 8; figure 9, reference numeral 940). 

S. CLAIM 28 - DEPENDENT 

The subject matter of claim 28 is directed to the apparatus of claim 21 . In this claim, the 
means for adding the required permission to a permission collection includes means for adding 
the permission to a permission collection associated with the superclass permission 
(Specification p. 20, II. 12-23). 

T. CLAIM 29 - DEPENDENT 

The subject matter of claim 29 is directed to the apparatus of claim 21. In this claim, the 
means for determining if a superclass permission of a required permission is present in each 
protection domain of an access control context (Specification, p. 20, 11 7-1 1), and the means for 
adding the required permission to a permission collection if the superclass permission of the 
required permission is present in each protection domain of an access control context operate 
based on a method called by the required permission in response to an "implies" method 
operating on the required permission (Specification, p. 21, 1. 30 - p. 22, 1/21 , p. 23, L 29 - p. 24, 
L 13; figure 9, reference numerals 970, 975, 980, 985, 990, 995). 

U. CLAIM 30 - DEPENDENT 

The subject matter of claim 30 is directed to the apparatus of claim 23. In this claim, the 
means for determining the required permission based on a CodeSource associated with the 
request and means for determining the superclass permission of the required permission based on 
the required permission operate based on a security policy file (Specification p : 24, 11. 14-30; 
figure 10, reference numerals 101.0, 1020, 1030). 
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GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

A. GROUND OF REJECTION I (Claims 1-30) 

Whether claims 1-30 are anticipated by Gong et al., Typed, Parameterized, and Extensible 
Access Control Permissions. United States Patent 6,047,377 under 35 U.S.C- § 102(b). 
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ARGUMENTS 



A. The Reference Does Not Anti cipate Claims 1-2, 4. 7. 9-12. 1 4. 17. 19- 22. 24. 27. and 
29-30 

Claim I is a representative claim in this group and reads as follows: 

1 - A method of controlling access to computer system resources 
based on permissions, comprising: 

receiving a request for access to a computer system resource; 

determining if a superclass permission of a required permission is 
present in each protection domain of an access control context, wherein 
the superclass permission is a super class of the required permission; 

adding the required permission to a permission collection if the 
superclass permission of the required permission is present in each 
protection domain of the access control context; and 

granting access to the resource if the superclass permission of the 
required permission is present in each protection domain of the access 
control context. 

The Examiner has rejected this claim stating: 
Regarding claim 1 , Gong discloses: 

A method of controlling access to computer system resources based on 
permissions, comprising: 

"receiving a request for access to a computer system resource" (Figure 7 
item 750, column 6 lines 36-46, column 18 line 29 — column 19 line 36); 
"determining if a superclass permission of a required permission is present 
in each protection domain of an access control context, wherein the 
superclass permission is a super cl ass of the required permission" (column 
6 lines 36-46, column 18 lines 29-45); 

"adding the required permission to a permission collection if the 
superclass permi ssion of the required permission is present in each 
protection domain of the access control context (column 1 7 lines 1-5, 
column 1 9 lines 37-43); and "granting access to the resource if the 
superclass permission of the required permission is present in each 
protection domain of the access control context' (column 10 lines 59-67, 
column 19 lines 4-36). 
Final office action dated September 22, 2005, pp. 5-6, (emphasis removed). 

A prior art reference anticipates the claimed invention under 35 U.S.C. § 102 only if 

every element of a claimed invention is identically shown in that single reference, arranged as 

they arc in the claims. In re Bond, 910 F.2d 831, 832, 15 U.S.P.Q.2d 1566, 1567 (Fed. Cir. 
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1990). All limitations of the claimed invention must be considered when determining 
patentability. Inre Lowry, 32 F.3d 1579, 1582, 32 U.S.P.Q.2d 1031, 1034 (Fed. Cir. 1994). 
Anticipation focuses on whether a claim reads on the product or process a prior art reference 
discloses, not on what the reference broadly teaches. Kalman v. Kimberly-Clark Corp. , 713 F.2d 
760, 218 U.S.P.Q. 781 (Fed. Cir. 1983). In this case each and every feature of the presently 
claimed invention in claim 1 is not identically shown in the cited reference, arranged as they are 
in the claims. 

More specifically, contrary to Examiner's assertion, Gong et al., Typed. Parameterized, 

and Extensible Access Control Permissions. United States Patent 6,047,377 (hereinafter, 

"Gong"), does not teach the step of "determining if a superclass permission of a required 

permission is present in each protected domain of an access control context, wherein the 

superclass permission is a super class of the required permission", as recited in claim 1 . The 

Examiner cites the following sections from Gong as teaching this claimed feature: 

When the validation method is invoked for a particular permission object 
belonging to a permission subclass, the validation method indicates 
whether a given permission is encompassed by the permission represented 
by the particular permission object For example, the validation method of 
a permission object P01 may be invoked to determine whether the 
permission represented by another permission object P02 is encompassed 
in the permission represented by POl, where both POl and P02 belong to 
classes that descend from said permission super class. 

In step 754, a request is received for a determination of whether the action 
is authorized. The determination is based on the permission required to 
perform the action. In this example, the resource manager invokes an 
access controller to determine whether the permission required is 
authorized for the entity requesting access. The access controller receives 
the request and a required permission object which was transmitted by the 
resource manager. 

In step 754, the validation methods of one or more pennission objects is 
invoked in order to determine whether an action is authorized based on the 
permission required. An action is authorized if every protection domain 
object associated with an object requesting a determination of whether an 
action is authorized contains a permission represented by a permission 
object that encompasses the required permission for the action. 
Gong, col. 6, 11. 36-46; col. 1 8, 1. 29-45. 

Gong uses the term permission super class in the first cited section, but all of the relevant 
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operations described in Gong are with respect to encompassed permissions and permissions 
encompassing, but not with respect to a super class. The term super class permission is defined 
in Gong as follows: 

Because all permissions share some common attributes, it is useful and 
efficient to represent all categories of permissions with one class that is a 
super class of all permission classes. The super class for all permission 
classes is herein referred to as the permission super class. Each permission 
class is a subclass of the permission super class. 

The permission super class contains fields which represent attributes 
common to all permissions. One such field is an action field, which 
represents the action attribute common to all permissions. 

In addition to sharing attributes, the permission super class establishes a 
set of common methods that are useful for and inherited by all permission 
objects, such as a get.sub.-- action method. The common action method 
returns a value representing the action field. An implementation for the 
getsub.-- action method may be provided in the permission super class. 
According to one embodiment, the implementation for the get.sub.- action 
method simply returns the value of the action field. 
Gong, col 8, 11. 19-38. 

As can be seen, Gong defines super class in terms of commonly known object oriented 
hierarchy of classes. In a typical superclass-subclass hierarchy, the methods and attributes of a 
super class may be inherited and modified by a sub-class that derives from the super cla$$- 
However, no teaching is present to support the Examiner's interpretation of Gong in which a 
"permission represented by a permission object that encompasses the required permission'* is 
equivalent to Gong's permission super class, or a Superclass permission as recited in claim 1. 

A pennission encompassing the required pennission simply means a larger permission 
that "encompasses" or inherently includes a smaller permission, but not a "superclass" 
permission in the hierarchy o f permissions classes, Gong *s disclosure supports this logical 
construction in the following section: 

When the validation method is invoked for a particular pennission object 
belonging to a permission subclass, the validation method indicates 
whether a given permission is encompassed by the permission represented 
by the particular permission object. For example, the validation method of 
a permission object POl may be invoked to determine whether the 
permission represented by another permission object P02 is encompassed 
in the permission represented by PO 1. where both PO 1 and P02 belong to 
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classes that descend from said permission super class. In this we can 
determine whether a permission to perform a first action, represented by 
POl , authorizes a request to perform a second action, which requires a 
second permission represented by P02, by invoking the validation method 
of POl to detettnine whether the first permission represents an 
authorization to perform the requested second action. 

According to another aspect of the invention, permissions represent 
actions on targets. Thus, a first permission object can specify a first action 
and a first target, and a second permission object can specify a second 
action and a second target A determination is made of the whether the 
permission represented by the first permission object encompasses the 
permission represented by the second permission object based on whether 
the first action implies the second action and the first target implies the 
second target. In this we can determine, for example, whether a permission 
to perform a first action on a first target, represented by the first 
permission object, authorizes a request to perform a second action on 
second target, which requires a second permission represented by the 
second object, by determining whether first action implies the second 
action, and the first target implies the second target. 
Gong, col. 3, 1L 3-35 

In a superclass-subclass hierarchy, the attributes and methods of the superclass can be 
defined in mutually exclusive ways in one or more child subclasses, This property of a 
superclass entity is different from Gong's notion of an encompassing entity. For example, a 
permission PI to withdraw $300 encompasses a permission P2 to withdraw $200. However, this 
does not mean that a parent permission P that provides for only a number and an activity 
associated with that number "encompasses" the child permission number representing $300 and 
the action representing the withdrawal thereof, within the context of Gong. This example shows 
inheritance, but not "encompassing" as Gong describes the term. Gong specifically uses the term 
"encompass" and not superclass to indicate this difference, as is evident from the following 
section in Gong: 

One permission can imply another. When one permission implies another 
permission, that one permission is said to encompass the other permission. 
For example, a permission to write to a directory, such "c:/", can imply a 
permission to write to any file in the directory, such as M c:/thisftte ,! . 
Furthermore, an attribute of a permission can imply an attribute of another 
permission. For example, in some implementations, the action attribute of 
a permission to "write" implies an action attribute of a permission to 
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"read". An amount attribute of a permission to withdraw three hundred 
dollars implies another attribute of a permission to withdraw two hundred 
dollars. 

Usually, a permission encompasses another permission when all the 
permission attributes of one permission imply all the corresponding 
permission attributes of another permission. For example, a permission to 
"write" to file "d:/somefile M implies a permission to "read" from file 
"dr/somefile" because a "write" implies a "read". However, a permission to 
"write" to file "d:/somefile" does not imply a permission to "read" from 
file "d:/otherfile" because T, d:/somefile" does not imply "d:/otherfi]e". 
Gong, col. 7, 11. 30-50 

Gong teaches that when a first permission "implies" a second permission, the first 

permission encompasses the second permission This express statement in Gong describes what 

Gong means by permission encompassing the required permission The statement makes clear 

that Gong does not mean a permission super class, or superclass permission as defined in 

Appellants* specification, to be a permission encompassing the required permission. 

(Specification p. 1 8, 11. 6-17). Gong further clarifies the distinction between permission super 

class and permission encompassing the required permission within the context of Gong's 

invention in the section defining permission super class quoted below. 

Because all permissions share some common attributes, it is useful and 
efficient to represent all categories of permissions with one class that is a 
, super class of all permission classes. The super class for all permission 
classes is herein referred to as the permission super class. Each permission 
class is a subclass of the permission super class. 

The permission super class contains fields which represent attributes 
common to all permissions. One such field is an action field, which 
represents the action attribute common to all permissions. 

In addition to sharing attributes, the permission super class establishes a 
set of common methods that are useful for and inherited by all permission 
objects, such as a getsub.-- action method. The common action method 
returns a value representing the action field. An implementation for the 
getsub.-- action method may be provided in the permission super class. 
According to one embodiment, the implementation for the get.$ub -- action 
method simply returns the value of the action field. 
Gong, col. 8,11. 19-38. 
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Gong's description is careful in describing the permission encompassing the required 
permission separately and distinctly from the permission super class, not leaving room for an 
interpretation that substitutes one term for another. The Examiner, however, interprets the two 
terms - "permission super class" and "permission encompassing the required permission" - as 
interchangeable. Gong does not support Examiner's interpretatioa Gong 's ''permission 
encompassing the required permission" does not mean permission superclass" as claimed by 
Appellants. Therefore, contrary to Examiner's assertion. Gong does not teach the claimed 
feature, "determining if a superclass permission of a required permission is present in each 
protected domain of an access control context, wherein the superclass permission is a super class 
of the required permission/' Instead, Gong only teaches operations with respect to encompassing 
permissions. Thus., Gong does not teach determining if a superclass permission of a required 
permission is present in each protection domain of an access control context, wherein the 
superclass permission is a super class of the required permission as recited in claim 1 . 

In addition, the Examiner incorrectly asserts that Gong teaches another feature of claim 1 , 

"adding the required permission to a permission collection if the superclass permission of the 

required permission is present in each protection domain of the access control context" In 

support of the Examiner's assertion, the Examiner cites to the following section of Gong: 

If a protection domain is already associated with the code source, the 
domain mapper adds a mapping of the new class and protection domain to 
a mapping of classes and protection domains maintained by the domain 
mapper 448. 

. . . Typed permissions facilitate the establishment of new permissions. 
When a new category of permissions is desired, a new subclass is created. 
The particular rules or policy that govern whether the permissions granted 
a principal are encompassed by permission in the new category are 
implemented in the validation method of the new subclass representing 
permissions in the new subclass. 
Gong, col. 1 7, 11. 1-5, col. 1 9, 11. 37^43 

Examiner's assertion with, respect to this claim feature again suffers from the improper 

interchanging of the terms "permission encompassing the required permission" and "superclass 

permission" as illustrated above. The sections from Gong cited by the Examiner do not cure this 

defect in the Examiner's argument but rather re-emphasize it Cited sections from Gong actually 

maintain the consistency of separation of terms ''permission encompassing the required ■ • 
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permission" and "superclass permission", lending further support to the distinction between,, and 
non-interchangeability of, the two terms. 

Therefore, contrary to Examiner's assertion, Gong does not teach the claimed feature, 
"adding the required permission to a permission collection if the superclass permission of the 
required permission is present in each protection domain of the access control context" 

In addition, the Examiner incorrectly asserts that Gong teaches "granting access to the 

resource if the superclass permission of the required permission is present in each protection 

domain of the access control context" in claim 1 . In support of the Examiner's assertion, the 

Examiner cites the following portion of Gong: 

Next, the code in the implementation 242 ensures that each attribute of the 
permission represented by the object reference is implied by each attribute 
of the permission represented by the object whose validation method is 
invoked. For example, if the action field and the target field of the 
pennission object referred to by the object reference are identical to the 
action field and target field of the permission object whose validation 
method is invoked, then the validation method returns a true Boolean 
value. 

. . , In this example, the access controller first determines the protection 
domain associated with the first object represented on call stack 610, 
which is object a. The protection domain associated with object a is 
protection domain I. The validation method of the first permission object, 
permission object 282 (in FIG. 6), is invoked, passing in the required 
pennission object as a parameter. As mentioned earlier, the required 
permission represented by the required permission object is a permission 
to "disenable" "channel-5". When the validation method of the first 
permission object is invoked the validation method indicates that the 
required permission is not encompassed. Next, the validation method of 
permission object 286 (in FIG. 6) is invoked. The invocation of the 
validation method of permission object 286 indicates that the required 
permission is encompassed. 

The access controller then invokes the validation methods of the 
pennission objects in the next protection domain object, protection domain 
object J, in the manner described. Each invocation of the validation 
methods of pennission object 622 and pennission object 626 indicates that 
the required permission is not encompassed. 

At step 764, a determination is made of whether the action requested was 
authorized. If every associated protection domain contains a permission 
object that represents a permission encompassing the required permission, 
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then the requested action is authorized. When the requested action is 
authorized, control passes to step 768, where the action is performed 
before execution of the steps ceases. In this example, because not every 
protection domain object contained a permission encompassing the 
required permission, performance of the steps ends. The requested action 
is not executed. 
Gong, col. 10, 11. 59-67, col. 19, 11. 4-36. 

Examiner's assertion with respect to this claim feature again suffers from the improper 

interchanging of the terms "permission encompassing the required permission" and "superclass 

permission" as illustrated above. The sections from Gong cited by the Examiner do not cure this 

defect in the Examiner's argument but rather re-emphasize it Cited sections from Gong actually 

maintain the consistency of separation of terms "permission encompassing the required 

permission" and "superclass permission," thereby lending further support to the distinction 

between, and non-interchangeability of, the two terms. 

Therefore, contrary to Examiner's assertion, Gong does not teach the claimed feature, 

"granting access to the resource if the superclass permission of the required permission is present 

in each protection domain of the access control context." 

As a result Gong does not teach at least three features of claim 1 , which is a 

representative claim of this group. Consequently, Gong does not anticipate claims 1 -2, 4, 7, 

9-12, 14 5 17, 19- 22, 24, 27, and 29-30 under 35 U.S.C. § 102(b). 

B. The Reference Does Not Teach All the features of Claims 3, 13, and 23 

Claim 3 is a representative claim in this group of claims and reads as follows: 

3. The method of claim 1, further comprising: 

determining the required permission based on a CodeSource 

associated with the request; and 

determining the superclass permission of the required permission 

based on the required permission. 

The Examiner has rejected this particular claim stating: 

Claim 3 is rejected as applied above in rejecting claim 1 , Furthermore, 
Gong discloses: 

The method of claim 1, further comprising: 

"determining the required permission based on a CodeSource associated 
with the request' (column 1 4 lines 28-36, column 1 5 lines 65-67); and 
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"determining the superclass permission of the required permission based 
on the required permission" (column 6 lines 36-46, column 18 lines 29- 
45). 

Final office action dated September 22, 2005, pp. 6, (emphasis removed). 

Contrary to the Examiner's assertion. Gong does not teach the "determining the 
superclass permission of the required permission based on the required permission' 5 as recited in 
claim 3. 

Gong, in the cited section, discloses: 

When the validation method is invoked for a particular permission object 
belonging to a permission subclass, the validation method indicates 
whether a given permission is encompassed by the permission represented 
by the particular permission object. For example, the validation method of 
a permission object POl may be invoked to determine whether the 
permission represented by another permission object P02 is encompassed 
in the permission represented by POl, where both POl and P02 belong to 
classes that descend from said permission super class. 

... In step 754, a request is received for a determination of whether the 
action is authorized. The determination is based on the permission 
required to perform the action. In this example, the resource manager 
invokes an access controller to determine whether the permission required 
is authorized for the entity requesting access. The access controller 
receives the request and a required permission object which was 
transmitted by the resource manager. 

In step 754, the validation methods of one or more permission objects is 
invoked in order to determine whether an action is authorized based on the 
permission required. An action is authorized if every protection domain 
object associated with an object requesting a determination of whether an 
action is authorized contains a permission represented by a permission 
object that encompasses the required permission for the action. 
Gong, col. 6, 1). 36-46, col. 18, 11. 29-45 

Gong figure 7 is reproduced in § A, supra. 

As before, the Examiner's assertion with respect to the claim feature "determining the 

superclass permission of the required permission based on the required permission" suffers from 

the improper interchanging of the terms '"permission encompassing the required permission" and 

"superclass permission" as illustrated above. The sections from Gong cited by the Examiner do 

not cure this defect in the Examiner's argument but rather re-emphasize it Cited sections from 

Gong actually maintain the consistency of separation of terms "permission encompassing the 
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required permission 5 - and "superclass permission," thereby lending further support to the 
distinction between, and non-tnterchangeability of> the two terms. 

Assuming, arguendo, that the Examiner's assertion that Gong's permission that 
encompasses the required permission is the same as Appellants' superclass permission is correct. 
Gong still does not teach the claimed feature, "determining the superclass permission of the 
required permission based on the required permission" in claim 3 for yet another reason. The 
cited sections from Gong teach determining if the required permission is encompassed by the 
permission represented by the particular permission object being validated against. The 
operation that determines a true or false logic is vastly different from the operation that 
determines an object Gong teaches the former type of operation, and claim 3 is directed towards 
the latter. Determining a superclass permission of the required permission as the claimed feature 
does, is in effect determining an object that is an object-oriented class. An object-oriented class 
is not a Boolean value. Gong teaches determining whether a permission encompassing the 
required permission is present - an inquiry that results only in a Boolean true or false answer. 

In other words, Gong teaches whether something is present, while the presently claimed 
invention in claim 3 recites determining what something is, such as what is the required 
permission and what is the super class permission. Thus, the process taught by Gong in the cited 
sections is an entirely different process as recited in claim 3. 

Furthermore, Gong s entire disclosure fails to teach the actual determination of the 
permission super class of the required permission in the manner of claim 3. Therefore, Gong 
teaches a step of nature different from the nature of the feature claimed. Therefore, Gong does 
not teach all the features of claim 3. Consequently, Gong does not anticipate claim 3, 

Therefore, contrary to Examiner's assertion, Gong does not teach the claimed feature, 
"determining the superclass permission of the required permission based on the required 
permission." 

As a result, Gong does not teach all the features of claim 3. Additionally, claim 3 
depends from claim 1 , which Gong also does not anticipate. Consequently, Gong does not 
anticipate claims 3, 13, and 23 under 35 U.S.C. § 102(b). 
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c - The Reference Does Not Teach All the Features of Claims 5, 15, and 25 

The Examiner incorrectly applies Gong \s teaching and rejects as nonpersuasive, the 

Appellants* arguments advanced in response to prior office action rejecting claim 5. 

Claim 5 is a representative claim in this group of claims and reads as follows: 

5. The method of claim 1, wherein adding the required permission to 
a permission collection includes creating a new permission collection and 
adding the required permission to the new permission collection. 

The Examiner has rejected Appellants' prior arguments distinguishing this claim from 
Gong, asserting, 

Regarding claim 5-6, the applicant argues that the CPA does not teach 
"creating anew [sic] permission collection and adding the required 
permission to the new permission collection" and "includes adding any 
subclass permissions of the required permission to the new permission 
collection." This argument is not found persuasive. The CPA discloses 
<4 when a new category of permissions is desired, a new subclass is created' 1 
(column 19 lines 36-38), which is creating a new permission collection. 
Furthermore, the CPA teaches "the particular rules or policy that govern 
whether the permissions granted a principal are encompassed by 
permission in the new category are implemented in the validation method 
of the new subclass representing permissions in the new subclass" (column 
19 lines 38-43), which includes all the subset permissions according to the 
superclass permission. 
Final office action dated September 22, 2005, pp. 3-4. 

The Examiner is mistaking the creation of a new permission subclass that Gong teaches, 

with the creation of a new permission collection that is used in claim 5. As described in the 

specification as shown below, a '^permission collection" is a grouping of permissions defined by 

a developer 

A permission collection is a grouping of permissions defined by a 
developer. Every time a developer defines a new permission, the 
developer must also define a permission collection to which the new 
permission belongs or assume the default implementation. These 
permission collections may be assigned to classes 450 of the applet 420. 
Thus, when the classes are instantiated, the JVM looks at the permission 
collections assigned to the classes and generates a protection domain based 
on the assigned permission collections. 
Specification p. 14, 11. 6-15. 

Even assuming, arguendo, that the permission collection in claim 5 is comparable to any 
of Gong 9 s entities, the permission collection in claim 5 may only be equivalent to Gong *$ 
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Protection Domain Object class and/or subclasses, but not the Permission subclass. Therefore, 

contrary to Examiner's assertion, creating a new permission subclass in Gong does not teach the 

feature "creating a new permission collection and adding the required permission to the new 

permission collection" of claim 5. 

Furthermore, the citation to column 19, lines 38-43 of the reference is irrelevant to the 

claimed features of claim 5. The section cited from Gong states: 

In this example, because not every protection domain object contained a 
permission encompassing the required permission, performance of the 
steps ends. The requested action is not executed. 

Typed permissions facilitate the establishment of new permissions. When 
a new category of permissions is desired, a new subclass is created. The 
particular rules or policy that govern whether the permissions granted a 
principal are encompassed by permission in the new category are 
implemented in the validation method of the new subclass representing 
permissions in the new subclass. 
Go*g,coi. 19, U. 38-43. 

As can be seen, the cited Gong section pertains to the implementation of the policies that 
govern whether the permissions granted a principal are encompassed by permission in the new 
category in the reference embodiment Teachings from this section of Gong have no bearing on 
the features of claim 5 in which adding the required permission to a permission collection 
includes creating a new permission collection and adding the required permission to the new 
permission collection. 

Therefore, the Examiner has rejected claims 5, 15, and 25 based on an incorrect 
understanding of the claimed invention and the reference. 

D - The Referen ce Does Not Teach All the Features of Claims 6. 16, and 26 

Claim 6 is representative of claims 16 and 26, and reads as follows: 

6. The method of claim 5, wherein adding the required permission to 
a permission collection further includes adding any subclass permissions 
of the required permission to the new permission collection. 

Because claim 6 depends from claim 5, the same distinctions between Gong and the 
invention of claim 5 can be made for claim 6 as well. 
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The Examiner further rejects claim 6 as being anticipated by Gong citing a different 
section. 

The Examiner has rejected this particular claim stating: 

Claim 6 is rejected as applied above in rejecting claim 1. Furthermore, 
Gong discloses: 

The method of claim 5, wherein adding the required permission to a 
permission collection further includes "adding any subclass permissions of 
the required permission to the new permission collection" (column 16 line 
56 — column 17 line 13). 
Final office action dated September 22, 2005, p. 7, (emphasis removed). 

Gong, in the cited section, discloses: 

The domain mapper object 448 contains a mapping between classes and 
protection domains objects. Protection domain objects 482 contain a set 
of permissions. Protection domain objects are associated with the 
permission objects they contain, and with the classes to which a protection 
domain object is mapped to by domain mapper object 448. 

Protection domain objects 482 are created when new classes are received 
by code executor 410. When a new class is received, domain mapper 448 
determines whether a protection domain is already associated with the 
code source. The domain mapper maintains data indicating which 
protection domains have been created and the code sources associated with 
the protection domains. Tf a protection domain is already associated with 
the code source, the domain mapper adds a mapping of the new class and 
protection domain to a mapping of classes and protection domains . 
maintained by the domain mapper 448. 

If a protection domain object is not associated with the code source of the 
new class, a new protection domain object is created and populated with 
permissions. The protection domain is populated with those permission 
that are mapped to the code source of the new class based on the mapping 
of code sources to permissions in the policy object Finally, the domain 
mapper adds a mapping of the new class and protection domain to the 
mapping of classes and protection domains as previously described. 
Gong, col 16, 1. 56 - col. 1 7, 1. 13 

The cited section from Gong fails to suggest the claim feature "adding any subclass 

permissions of the required permission to the new permission collection." Gong adds only the 

permission that is being requested but does not teach or suggest adding subclasses of the 
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permission being requested to the permission domain object The Gong disclosure as a whole 
also does not teach or suggest adding permission subclasses to the permission domain object 
Therefore, Gong does not teach the features of claim 6. 

As a result, Gong does not teach all the features of claim 6. Consequently, Gong does not 
anticipate claims 6, 16 and 26 under 35 U.S.C. § 102(b). 

E. The Reference Does Not Teach AM the Features of Claims 8, 18. and 28 

Claim 8 is a representative claim in this group and reads as follows: 

8. The method of claim 1 , wherein adding the required permission to 
a permission collection includes adding the permission to a permission 
collection associated with the superclass permission. 

The Examiner has rejected this particular claim stating: 

Claim 8 is rejected as applied above in rejecting claim 1. Furthermore, 
Gong discloses: 

The method of claim 1, wherein adding the required permission to a 
permission collection includes "adding the permission to a permission 
collection associated with the superclass permission" (column 16 line 
56 — column 17 line 13). 
Final office action dated September 22, 2005, p. 7, (emphasis removed). 

Gong sections cited by the Examiner have been reproduced in § C 5 supra. 

The cited section of Gong fails to teach the claim feature "adding the permission to a 
permission collection associated with the superclass permission." Gong teaches adding only the 
permission being requested to the permission collection but no association is present between the 
permission collection and the superclass permission as recited in claim 8. Furthermore, this 
association is not suggested anywhere in the entire Gong disclosure. Therefore) Gong does not 
teach or suggest that the permission collection is associated with the superclass permission. 

In addition, even if the Examiner's assertion that Gong *s permission that encompasses the 
required permission is the same as Appellants' superclass permission could be considered correct 
for argument's sake, Gong does not teach "adding the permission to a permission collection 
associated with the superclass permission" as recited in claim 8 for another reason. The cited 
section from Gong teaches adding the required permission to the new or existing protection 
domain object associated with the code source of (he new class associated with the requested 
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permission. Only for the sake of clarity in drawing the distinction, Gong's protection domain 
object will he considered an equivalent of permission collection feature of Appellants' claims. 

Appellants do not concede that such is the case, but wilt refer to both objects as 
permissions collection in the following analysis. 

Gong teaches adding permissions to a permissions collection based on the code source of 
the new class associated with the requested permission, and not based on the super class of the 
requested permission. The two method s of adding the permission to permissions collection are 
distinct from each other. The code-source-method for addition is necessarily implemented 
differently from the superclass-permission-method in software programming. A method for 
adding permissions to permissions collection encoded in the first way will not be structurally 
identical, nor work logically the same, for the second. The two methods involve different entities 
to test upon and therefore cannot be substituted one for the other in order to add required 
permission to permissions collection* 

Gong discloses another method for adding permissions to permissions collection. In the 

relevant section quoted below, Gong states: 

Another method, add.$ub.-- permission, adds a permission object to the set 
of permission objects contained in the PermissionCollection object. The 
add.sub.- permission method has a parameter of the type Permission. In 
the case of a homogenous PermissionClass object, for example, the 
method to add a permission object does not add a permission object if it is 
not of the same type (i.e. class) as any other permission object already 
contained in the PermissionCollection object. TTie method returns a 
Boolean flag indicating whether or not a permission object was added. 
Gong, col. 12, 11 15-24. 

The disclosure in this section also does not teach adding permission to permissions 

collection based on the superclass permission of the required permission. This method, the only 

other method disclosed in Gong for adding permissions to permissions collection, tests whether 

the permission to be added is homogeneous with the other permissions existing within the 

permissions collection. In other words, this method adds a permission to a permissions 

collection only when the permission being added is of the same class as the other permissions in 

that permissions collection. Again, the code for testing for a match between the class of the 

required permission and the classes of the existing permissions, does not look or function the 

same as the code to test for association of the permissions collection with the superclass 
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permission of the required permission. Teaching the foimer test, as Gong does, will not enable a 
person of ordinary skill in the art to make and use the invention based on the later test, as 
Appellants do. 

As a result, Gong does not teach all the features of claim 8, Therefore, Gong does not 
anticipate claim 8 under 35 U.S.C § 102(b). 

CONCLUSION 

For the foregoing reasons, Gong does not anticipate claims 1-30 under 35 U.S.C § 
102(b). Therefore, Appellants respectfully urge that the Board of Appeals reverse the rejection 
of claims 1 -30 under 35 U.S.C. § 102(b) and allow the claims. n fi 




Rakesh Garg 
Reg. No. 57,434 
YEfc & ASSOCIATES, P.C 



POBox 802333 
Dallas, TX 75380 
(972) 385-8777 
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CLAIMS APPENDIX 

The text of the claims involved in the appeal reads: 

1. A method of controlling access to computer system resources based on permissions, 
comprising: 

receiving a request for access to a computer system resource; 

determining if a superclass permission of a required permission is present in each 
protection domain of an access control context, wherein the superclass permission is a super 
class of the required permission; 

adding the required permission to a permission collection if the superclass permission of 
the required permission is present in each protection domain of the access control context; and 

granting access to the resource if the superclass permission of the required permission is 
present in each protection domain of the access control context. 

2. The method of claim 1 , wherein the request is received from bytecode. 

3. The method of claim t, further comprising: 

determining the required permission based on a CodeSource associated with the request; 

and 

determining the superclass permission of the required permission based on the required 
permission- 
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4. The method of claim 1 , wherein determining if a superclass permission of a required 
permission is present in each protection domain includes determining if at least one permission 
collection in each protection domain includes the superclass permission. 

5. The method of claim 1 , wherein adding the required permission to a permission collection 
includes creating a new permission collection and adding the required permission to the new 
permission collection. 

6. The method of claim 5 3 wherein adding the required permission to a permission collection 
further includes adding any subclass permissions of the required permission to the new 
permission collection. 

7. The method of claim 1 , further comprising retrieving the access control context for a 
thread of execution that sent the request for access to the computer system resource* 

8. The method of claim 1 , wherein adding the required permission to a permission collection 
includes adding the permission to a permission collection associated with the superclass 
permission. 

9. The method of claim 1 , wherein the steps of determining if a superclass permission of a 
required permission is present in each protection domain of an access control context, and adding 
the required permission tp a permission collection if the superclass permi ssion of the required 
permission is present in each protection domain, of an access control context are performed by a 
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method called by the required permission in response to an implies method operating on the 
required permission. 

10. The method of claim 3, wherein the steps of determjjoing the required permission based 
on a CodeSource associated with the request and determining the superclass permission of the 
required permission based on the required permission are performed based on a security policy 
file. 

11. A computer program product in a computer readable medium for controlling access to 
computer system resources based on permissions, comprising: 

first instructions for receiving a request for access to a computer system resource; 

second instructions for determining if a superclass permission of a required permission is 
present in each protection domain of an access control context, wherein the superclass 
permission is a super class of the required permission; 

third instructions for adding the required permission to a permission collection if the 
superclass permission of the required permission is present in each protection domain of the 
access control context; and 

fourth instructions for granting access to the computer system resource if the superclass 
permission of the required permission is present in each protection domain of the access control 
context 

1 2. The computer program product of claim 1 1 , wherein the request is received from 
bytecode. 
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1 3 . The computer program product of claim 1 1 , further comprising: 

fifth instructions for determining the required permission based on a CodeSource 
associated with the request; and 

sixth instructions for determining the superclass permission of the required permission 
based on the required permission. 

1 4. The computer program product of claim 1 1 , wherein the second instructions for 
determining if a superclass permission of a required permission is present in each protection 
domain include instructions for determining if at least one permission collection in each 
protection domain includes the superclass permission- 

15. The computer program product of claim 1 1 , wherein the third instructions for adding the 
required permission to a permission collection include instructions for creating a new permission 
collection and instructions for adding the required permission to the new permission collection. 

16. The computer program product of claim 1 5 ? wh erein the third instructions for adding the 
required permission to a permission collection further include instructions for adding any 
subclass permissions of the required permission to the new permission collection. 

1 7. The computer program product of claim 1 1 , further comprising fifth instructions for 
retrieving the access control context for a thread of execution that sent the request for access to 
the computer system resource. 
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1 8. The computer program product of claim 1 1 , wherein the third instructions for adding the 
required permission to a permission collection include instructions for adding the permission to a 
permission collection associated with the superclass permission. 

19. The computer program product of claim 1 1 , wherein the second and third instructions are 
part of a method called by the required permission in response to an implies method operating on 
the required permission. 

20. The computer program product of claim 1 3, wherein the fifth and sixth instructions are 
executed based on a security policy file. 

21 . An apparatus for controlling access to computer system resources based on permissions, 
comprising: 

means for receiving a request for access to a computer system resource; 

means for determining if a superclass permission of a required permission is present in 
each protection domain of an access control context, wherein the superclass permission is a super 
class of the required permission ; 

means for adding the required permission to a permission collection if the superclass 
permission of the required permission is present in each protection domain of the access control 
context; and 

means for granting access to the computer system resource if the superclass permission of 
the required permission is present in each protection domain of the access control context. 
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22. The apparatus of claim 2 1 , wherein the request is received from bytecode. 

23. The apparatus of claim 21, further comprising: 

means for determining the required permission based on a CodeSource associated with 
the request; and 

means for determining the superclass permission of the required permission based on the 
required permission. 

24. The apparatus of claim 21 , wherein the means for determining if a superclass permission 
of a required permission is present in each protection domain includes means for determining if 
at least one permission collection in each protection domain includes the superclass permission* 

25 . The apparatus of claim 2 1 , wherein the means for adding the required peimission to a 
permission collection includes means for creating a new permission collection and means for 
adding the required permission to the new permission collection. 

26. The apparatus of claim 25, wherein the means for adding the required permission to a 
permission collection further includes adding any subclass permissions of the required 
permission to the new permission collection. 



27. The apparatus of claim 2 1 , further comprising means for retrieving the access control 
context for a thread of execution that sent the request for access to the computer system resource. 
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28. The apparatus of claim 21 , wherein the means for adding the required permission to a 
permission collection includes means for adding the permission to a permission collection 
associated with the superclass permission. 

29. The apparatus of claim 2 1 ? wherein the means for determining if a superclass permission 
of a required permission is present in each protection domain of an access control context, and 
the means for adding the required permission to a permission collection if the superclass 
permission of the required permission is present in each protection domain of an access control 
context operate based on a method called by the required permission in response to an implies 
method operating on the required permission. 

30. The apparatus of claim 23 , wherein the means for determining the required permission 
based on a CodeSource associated with the request and means for determining the superclass 
permission of the required permission based on the required permission operate based on a 
security policy file. 
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EVIDENCE APPENDIX 

No evidence needs to be presented. 
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RELATED PROCEEDINGS APPENDIX 

No related proceedings are pending. 
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